“mcs” — 2015/5/18 — 1:43 — page 263 — #271

8.6 Modular Arithmetic

On the first page of his masterpiece on number theory, Disquisitiones Arithmeticae, Gauss introduced the notion of “congruence.” Now, Gauss is another guy who managed to cough up a half-decent idea every now and then, so let’s take a look at this one. Gauss said that $a$ is congruent to $b$ modulo $n$ iff $n \mid (a - b)$. This is written $a \equiv b \pmod n$. For example:

$29 \equiv 15 \pmod 7$ because $7 \mid (29 - 15)$.

It’s not useful to allow a modulus $n \le 1$, and so we will assume from now on that moduli are greater than 1. There is a close connection between congruences and remainders:

Lemma 8.6.1 (Remainder).

$a \equiv b \pmod n$ iff $\mathrm{rem}(a, n) = \mathrm{rem}(b, n)$.

Proof. By the Division Theorem 8.1.4, there exist unique pairs of integers $q_1, r_1$ and $q_2, r_2$ such that:

$a = q_1 n + r_1$,
$b = q_2 n + r_2$,

264 Chapter 8

where $r_1, r_2 \in [0..n)$. Subtracting the second equation from the first gives:

$a - b = (q_1 - q_2)n + (r_1 - r_2)$,

where $r_1 - r_2$ is in the interval $(-n, n)$. Now $a \equiv b \pmod n$ if and only if $n$ divides the left side of this equation. This is true if and only if $n$ divides the right side, which holds if and only if $r_1 - r_2$ is a multiple of $n$. But the only multiple of $n$ in $(-n, n)$ is 0, so $r_1 - r_2$ must in fact equal 0, that is, when $r_1 ::= \mathrm{rem}(a, n)$ equals $r_2 ::= \mathrm{rem}(b, n)$. ∎

So we can also see that

$29 \equiv 15 \pmod 7$ because $\mathrm{rem}(29, 7) = 1 = \mathrm{rem}(15, 7)$.

Notice that even though “(mod 7)” appears on the end, the $\equiv$ symbol isn’t any more strongly associated with the 15 than with the 29. It would probably be clearer to write $29 \equiv_{\mathrm{mod}\,7} 15$, for example, but the notation with the modulus at the end is firmly entrenched, and we’ll just live with it.

The Remainder Lemma 8.6.1 explains why congruence modulo $n$ has properties like an equality relation. In particular, the following properties⁷ follow immediately:

Lemma 8.6.2.

$a \equiv a \pmod n$ (reflexivity)
$a \equiv b$ IFF $b \equiv a \pmod n$ (symmetry)
$(a \equiv b$ AND $b \equiv c)$ IMPLIES $a \equiv c \pmod n$ (transitivity)

We’ll make frequent use of another immediate corollary of the Remainder Lemma 8.6.1:

Corollary 8.6.3. $a \equiv \mathrm{rem}(a, n) \pmod n$.

Still another way to think about congruence modulo $n$ is that it defines a partition of the integers into $n$ sets so that congruent numbers are all in the same set. For example, suppose that we’re working modulo 3. Then we can partition the integers into 3 sets as follows:

$\{\ldots, -6, -3, 0, 3, 6, 9, \ldots\}$
$\{\ldots, -5, -2, 1, 4, 7, 10, \ldots\}$
$\{\ldots, -4, -1, 2, 5, 8, 11, \ldots\}$

according to whether their remainders on division by 3 are 0, 1, or 2. The upshot is that when arithmetic is done modulo $n$, there are really only $n$ different kinds of numbers to worry about, because there are only $n$ possible remainders. In this sense, arithmetic modulo $n$ is a simplification of ordinary arithmetic.

⁷ Binary relations with these properties are called equivalence relations, see Section 9.10.

The next most useful fact about congruences is that they are preserved by addition and multiplication:

Lemma 8.6.4 (Congruence). If $a \equiv b \pmod n$ and $c \equiv d \pmod n$, then

$a + c \equiv b + d \pmod n$, (8.7)
$ac \equiv bd \pmod n$. (8.8)

Proof. Let’s start with 8.7. Since $a \equiv b \pmod n$, we have by definition that $n \mid (b - a) = (b + c) - (a + c)$, so

$a + c \equiv b + c \pmod n$.

Since $c \equiv d \pmod n$, the same reasoning leads to

$b + c \equiv b + d \pmod n$.

Now transitivity (Lemma 8.6.2) gives

$a + c \equiv b + d \pmod n$.

The proof for 8.8 is virtually identical, using the fact that if $n$ divides $(b - a)$, then it certainly also divides $(bc - ac)$. ∎

8.7 Remainder Arithmetic

The Congruence Lemma 8.6.1 says that two numbers are congruent iff their remainders are equal, so we can understand congruences by working out arithmetic with remainders. And if all we want is the remainder modulo $n$ of a series of additions and multiplications applied to some numbers, we can take remainders at every step so that the entire computation only involves numbers in the range $[0..n)$.


General Principle of Remainder Arithmetic

To find the remainder on division by $n$ of the result of a series of additions and multiplications, applied to some integers

• replace each operand by its remainder on division by $n$,
• keep each result of an addition or multiplication in the range $[0..n)$ by immediately replacing any result outside that range by its remainder on division by $n$.

For example, suppose we want to find

$\mathrm{rem}\bigl((44427^{3456789} + 15555858^{5555}) \cdot 403^{6666666},\ 36\bigr)$. (8.9)

This looks really daunting if you think about computing these large powers and then taking remainders. For example, the decimal representation of $44427^{3456789}$ has about 20 million digits, so we certainly don’t want to go that route. But remembering that integer exponents specify a series of multiplications, we follow the General Principle and replace the numbers being multiplied by their remainders. Since $\mathrm{rem}(44427, 36) = 3$, $\mathrm{rem}(15555858, 36) = 6$, and $\mathrm{rem}(403, 36) = 7$, we find that (8.9) equals the remainder on division by 36 of

$(3^{3456789} + 6^{5555}) \cdot 7^{6666666}$. (8.10)

That’s a little better, but $3^{3456789}$ has about a million digits in its decimal representation, so we still don’t want to compute that. But let’s look at the remainders of the first few powers of 3:

$\mathrm{rem}(3, 36) = 3$
$\mathrm{rem}(3^2, 36) = 9$
$\mathrm{rem}(3^3, 36) = 27$
$\mathrm{rem}(3^4, 36) = 9$.

We got a repeat of the second step, $\mathrm{rem}(3^2, 36)$, after just two more steps. This means that starting at $3^2$, the sequence of remainders of successive powers of 3 will keep repeating every 2 steps. So a product of an odd number of at least three 3’s will have the same remainder on division by 36 as a product of just three 3’s. Therefore,

$\mathrm{rem}(3^{3456789}, 36) = \mathrm{rem}(3^3, 36) = 27$.


What a win!

Powers of 6 are even easier because $\mathrm{rem}(6^2, 36) = 0$, so 0’s keep repeating after the second step. Powers of 7 repeat after six steps, but on the fifth step you get a 1, that is $\mathrm{rem}(7^6, 36) = 1$, so (8.10) successively simplifies to be the remainders of the following terms:

$(3^{3456789} + 6^{5555}) \cdot 7^{6666666}$
$(3^3 + 6^2 \cdot 6^{5553}) \cdot (7^6)^{1111111}$
$(3^3 + 0 \cdot 6^{5553}) \cdot 1^{1111111}$
$= 27$.

Notice that it would be a disastrous blunder to replace an exponent by its remainder. The general principle applies to numbers that are operands of plus and times, whereas the exponent is a number that controls how many multiplications to perform. Watch out for this.
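As an added example (not code from the textbook), the following Python carries out the computation of (8.9) the way the General Principle prescribes: each operand is replaced by its remainder, every sum and product is reduced immediately, and each power is handled by tabulating the remainders of successive powers until one repeats, exactly as done above for 3, 6 and 7. It cross-checks the answer against Python's built-in three-argument pow and, on a small case, shows why reducing an exponent is the blunder the text warns about. Function names are my own.

```python
# Added example, not from the textbook: the General Principle of Remainder
# Arithmetic applied to (8.9), rem((44427^3456789 + 15555858^5555) * 403^6666666, 36).
# Function names are my own.

def remainder_cycle(base, n):
    """Tabulate rem(base^e, n) for e = 1, 2, ..., reducing after every multiplication,
    and stop at the first repeated remainder.
    Returns (table, start, period): table[e - 1] == rem(base^e, n) for the exponents
    tabulated, and the remainders repeat every `period` steps from exponent `start` on
    (for base 3 and n = 36 this is (2, 2): 3, 9, 27, 9, 27, ...)."""
    first_seen = {}            # remainder -> exponent at which it first appeared
    table = []
    r, e = base % n, 1
    while r not in first_seen:
        first_seen[r] = e
        table.append(r)
        r = (r * base) % n     # keep every product inside [0..n)
        e += 1
    start = first_seen[r]
    return table, start, e - start

def power_rem(base, exponent, n):
    """rem(base^exponent, n), read off the cycle instead of computing the power."""
    if exponent == 0:
        return 1 % n
    table, start, period = remainder_cycle(base, n)
    if exponent < start:
        return table[exponent - 1]
    return table[start + (exponent - start) % period - 1]

def remainder_of_8_9(n=36):
    """(8.9) by the General Principle: replace each OPERAND by its remainder, reduce
    after every + and *, but leave the exponents alone."""
    a = power_rem(44427 % n, 3456789, n)      # rem(3^3456789, 36) = 27
    b = power_rem(15555858 % n, 5555, n)      # rem(6^5555, 36) = 0
    c = power_rem(403 % n, 6666666, n)        # rem(7^6666666, 36) = 1
    return ((a + b) % n * c) % n

def remainder_of_8_9_builtin(n=36):
    """Cross-check with Python's three-argument pow, which also reduces at every step."""
    s = (pow(44427, 3456789, n) + pow(15555858, 5555, n)) % n
    return (s * pow(403, 6666666, n)) % n

def exponent_blunder(base, exponent, n):
    """The text's warning: an exponent is not an operand, so replacing it by its
    remainder is wrong. Returns (correct value, value after the blunder)."""
    return pow(base, exponent, n), pow(base, exponent % n, n)
```

remainder_cycle(3, 36) returns ([3, 9, 27], 2, 2), which is the repeat-every-two-steps pattern found above, and remainder_of_8_9() gives 27 without ever forming a number larger than 36·36.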

8.7.1 The Ring $\mathbb{Z}_n$

It’s time to be more precise about the general principle and why it works. To begin, let’s introduce the notation $+_n$ for doing an addition and then immediately taking a remainder on division by $n$, as specified by the general principle; likewise for multiplying:

$i +_n j ::= \mathrm{rem}(i + j, n)$,
$i \cdot_n j ::= \mathrm{rem}(ij, n)$.

Now the General Principle is simply the repeated application of the following lemma.

Lemma 8.7.1.

$\mathrm{rem}(i + j, n) = \mathrm{rem}(i, n) +_n \mathrm{rem}(j, n)$, (8.11)
$\mathrm{rem}(ij, n) = \mathrm{rem}(i, n) \cdot_n \mathrm{rem}(j, n)$. (8.12)

Proof. By Corollary 8.6.3, $i \equiv \mathrm{rem}(i, n)$ and $j \equiv \mathrm{rem}(j, n)$, so by the Congruence Lemma 8.6.4

$i + j \equiv \mathrm{rem}(i, n) + \mathrm{rem}(j, n) \pmod n$.

By Corollary 8.6.3 again, the remainders on each side of this congruence are equal, which immediately gives (8.11). An identical proof applies to (8.12). ∎


The set of integers in the range $[0..n)$ together with the operations $+_n$ and $\cdot_n$ is referred to as $\mathbb{Z}_n$, the ring of integers modulo $n$. As a consequence of Lemma 8.7.1, the familiar rules of arithmetic hold in $\mathbb{Z}_n$, for example:

$(i \cdot_n j) \cdot_n k = i \cdot_n (j \cdot_n k)$.

These subscript-$n$’s on arithmetic operations really clog things up, so instead we’ll just write “($\mathbb{Z}_n$)” on the side to get a simpler looking equation:

$(i \cdot j) \cdot k = i \cdot (j \cdot k) \quad (\mathbb{Z}_n)$.

In particular, all of the following equalities are true in $\mathbb{Z}_n$:⁸

$(i \cdot j) \cdot k = i \cdot (j \cdot k)$ (associativity of $\cdot$);
$(i + j) + k = i + (j + k)$ (associativity of $+$);
$1 \cdot k = k$ (identity for $\cdot$);
$0 + k = k$ (identity for $+$);
$k + (-k) = 0$ (inverse for $+$);
$i + j = j + i$ (commutativity of $+$);
$i \cdot (j + k) = (i \cdot j) + (i \cdot k)$ (distributivity);
$i \cdot j = j \cdot i$ (commutativity of $\cdot$).

Associativity implies the familiar fact that it’s safe to omit the parentheses in products: $k_1 \cdot k_2 \cdots k_m$ comes out the same in $\mathbb{Z}_n$ no matter how it is parenthesized. The overall theme is that remainder arithmetic is a lot like ordinary arithmetic. But there are a couple of exceptions we’re about to examine.
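The following Python is an added example (not the textbook's code) of the operations $+_n$ and $\cdot_n$, together with an exhaustive check, for every $i, j, k$ in $[0..n)$, of the eight equalities listed above. It also runs the same check on the truth values with OR and AND, the non-example from footnote 8, to show which equality that structure fails. Function names are my own.

```python
# Added example, not from the textbook: +_n and *_n on Z_n, and an exhaustive
# check of the commutative-ring equalities listed above. Names are my own.
from itertools import product

def make_zn(n):
    """The ring Z_n: elements [0..n), addition and multiplication that take the
    remainder immediately (the text's +_n and *_n), and the constants 0 and 1."""
    elems = list(range(n))
    add = lambda i, j: (i + j) % n
    mul = lambda i, j: (i * j) % n
    return elems, add, mul, 0, 1

def failing_laws(elems, add, mul, zero, one):
    """Test every equality from the list for all i, j, k; return the names that fail."""
    laws = {
        "associativity of *": lambda i, j, k: mul(mul(i, j), k) == mul(i, mul(j, k)),
        "associativity of +": lambda i, j, k: add(add(i, j), k) == add(i, add(j, k)),
        "identity for *":     lambda i, j, k: mul(one, k) == k,
        "identity for +":     lambda i, j, k: add(zero, k) == k,
        # k + (-k) = 0: some element of the set must play the role of -k
        "inverse for +":      lambda i, j, k: any(add(k, x) == zero for x in elems),
        "commutativity of +": lambda i, j, k: add(i, j) == add(j, i),
        "distributivity":     lambda i, j, k: mul(i, add(j, k)) == add(mul(i, j), mul(i, k)),
        "commutativity of *": lambda i, j, k: mul(i, j) == mul(j, i),
    }
    triples = list(product(elems, repeat=3))
    return [name for name, law in laws.items()
            if not all(law(i, j, k) for i, j, k in triples)]

def zn_failures(n):
    """Empty list: Z_n satisfies every equality (Lemma 8.7.1 is the reason)."""
    return failing_laws(*make_zn(n))

def boolean_failures():
    """Footnote 8's non-example: {T, F} with OR as + and AND as *."""
    return failing_laws([False, True], lambda a, b: a or b, lambda a, b: a and b, False, True)

def neg_n(k, n):
    """The additive inverse -k in Z_n, i.e. rem(-k, n); Python's % already returns it."""
    return (-k) % n
```

zn_failures(15) comes back empty, while boolean_failures() reports only "inverse for +": no truth value x satisfies T OR x = F, which is the one equality the footnote says that structure misses.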

⁸ A set with addition and multiplication operations that satisfy these equalities is known as a commutative ring. In addition to $\mathbb{Z}_n$, the integers, rationals, reals, and polynomials with integer coefficients are all examples of commutative rings. On the other hand, the set $\{T, F\}$ of truth values with OR for addition and AND for multiplication is not a commutative ring because it fails to satisfy one of these equalities. The $n \times n$ matrices of integers are not a commutative ring because they fail to satisfy another one of these equalities.

8.8 Turing’s Code (Version 2.0)

In 1940, France had fallen before Hitler’s army, and Britain stood alone against the Nazis in western Europe. British resistance depended on a steady flow of supplies brought across the north Atlantic from the United States by convoys of ships. These convoys were engaged in a cat-and-mouse game with German “U-boats” —submarines—which prowled the Atlantic, trying to sink supply ships and starve Britain into submission. The outcome of this struggle pivoted on a balance of information: could the Germans locate convoys better than the Allies could locate U-boats, or vice versa? Germany lost.

A critical reason behind Germany’s loss was not made public until 1974: Germany’s naval code, Enigma, had been broken by the Polish Cipher Bureau,⁹ and the secret had been turned over to the British a few weeks before the Nazi invasion of Poland in 1939. Throughout much of the war, the Allies were able to route convoys around German submarines by listening in to German communications. The British government didn’t explain how Enigma was broken until 1996. When the story was finally released (by the US), it revealed that Alan Turing had joined the secret British codebreaking effort at Bletchley Park in 1939, where he became the lead developer of methods for rapid, bulk decryption of German Enigma messages. Turing’s Enigma deciphering was an invaluable contribution to the Allied victory over Hitler.

Governments are always tight-lipped about cryptography, but the half-century of official silence about Turing’s role in breaking Enigma and saving Britain may be related to some disturbing events after the war—more on that later. Let’s get back to number theory and consider an alternative interpretation of Turing’s code. Perhaps we had the basic idea right (multiply the message by the key), but erred in using conventional arithmetic instead of modular arithmetic. Maybe this is what Turing meant:

Beforehand The sender and receiver agree on a large number $n$, which may be made public. (This will be the modulus for all our arithmetic.) As in Version 1.0, they also agree that some prime $k$, positive and less than $n$, will be the secret key.

Encryption As in Version 1.0, the message $m$ should be another prime in $[0..n)$. The sender encrypts the message $m$ to produce $\hat m$ by computing $mk$, but this time modulo $n$:

$\hat m ::= m \cdot k \quad (\mathbb{Z}_n)$ (8.13)

Decryption (Uh-oh.) The decryption step is a problem. We might hope to decrypt in the same way as before by dividing the encrypted message $\hat m$ by the key $k$. The difficulty is that $\hat m$ is the remainder when $mk$ is divided by $n$. So dividing $\hat m$ by $k$ might not even give us an integer! This decoding difficulty can be overcome with a better understanding of when it is ok to divide by $k$ in modular arithmetic.

⁹ See http://en.wikipedia.org/wiki/Polish_Cipher_Bureau.

8.9 Multiplicative Inverses and Cancelling

The multiplicative inverse of a number $x$ is another number $x^{-1}$ such that

$x^{-1} \cdot x = 1$.

From now on, when we say “inverse,” we mean multiplicative (not relational) inverse. For example, over the rational numbers, $1/3$ is, of course, an inverse of 3, since, $\frac{1}{3} \cdot 3 = 1$. In fact, with the sole exception of 0, every rational number $n/m$ has an inverse, namely, $m/n$. On the other hand, over the integers, only 1 and $-1$ have inverses. Over the ring $\mathbb{Z}_n$, things get a little more complicated. For example, in $\mathbb{Z}_{15}$, 2 is a multiplicative inverse of 8, since

$2 \cdot 8 = 1 \quad (\mathbb{Z}_{15})$.

On the other hand, 3 does not have a multiplicative inverse in $\mathbb{Z}_{15}$. We can prove this by contradiction: suppose there was an inverse $j$ for 3, that is

$1 = 3 \cdot j \quad (\mathbb{Z}_{15})$.

Then multiplying both sides of this equality by 5 leads directly to the contradiction $5 = 0$:

$5 = 5 \cdot (3 \cdot j) = (5 \cdot 3) \cdot j = 0 \cdot j = 0 \quad (\mathbb{Z}_{15})$.

So there can’t be any such inverse $j$. So some numbers have inverses modulo 15 and others don’t. This may seem a little unsettling at first, but there’s a simple explanation of what’s going on.


8.9.1 Relative Primality

Integers that have no prime factor in common are called relatively prime.¹⁰ This is the same as having no common divisor (prime or not) greater than 1. It’s also equivalent to saying $\gcd(a, b) = 1$. For example, 8 and 15 are relatively prime, since $\gcd(8, 15) = 1$. On the other hand, 3 and 15 are not relatively prime, since $\gcd(3, 15) = 3 \neq 1$. This turns out to explain why 8 has an inverse over $\mathbb{Z}_{15}$ and 3 does not.

Lemma 8.9.1. If $k \in [0..n)$ is relatively prime to $n$, then $k$ has an inverse in $\mathbb{Z}_n$.

Proof. If $k$ is relatively prime to $n$, then $\gcd(n, k) = 1$ by definition of gcd. This means we can use the Pulverizer from section 8.2.2 to find a linear combination of $n$ and $k$ equal to 1:

$sn + tk = 1$.

So applying the General Principle of Remainder Arithmetic (Lemma 8.7.1), we get

$(\mathrm{rem}(s, n) \cdot \mathrm{rem}(n, n)) + (\mathrm{rem}(t, n) \cdot \mathrm{rem}(k, n)) = 1 \quad (\mathbb{Z}_n)$.

But $\mathrm{rem}(n, n) = 0$, and $\mathrm{rem}(k, n) = k$ since $k \in [0..n)$, so we get

$\mathrm{rem}(t, n) \cdot k = 1 \quad (\mathbb{Z}_n)$.

Thus, $\mathrm{rem}(t, n)$ is a multiplicative inverse of $k$. ∎

By the way, it’s nice to know that when they exist, inverses are unique. That is,

Lemma 8.9.2. If $i$ and $j$ are both inverses of $k$ in $\mathbb{Z}_n$, then $i = j$.

Proof. $i = i \cdot 1 = i \cdot (k \cdot j) = (i \cdot k) \cdot j = 1 \cdot j = j \quad (\mathbb{Z}_n)$. ∎

So the proof of Lemma 8.9.1 shows that for any $k$ relatively prime to $n$, the inverse of $k$ in $\mathbb{Z}_n$ is simply the remainder of a coefficient we can easily find using the Pulverizer. Working with a prime modulus is attractive here because, like the rational and real numbers, when $p$ is prime, every nonzero number has an inverse in $\mathbb{Z}_p$. But arithmetic modulo a composite is really only a little more painful than working modulo a prime—though you may think this is like the doctor saying, “This is only going to hurt a little,” before he jams a big needle in your arm.

¹⁰ Other texts call them coprime.


8.9.2 Cancellation

Another sense in which real numbers are nice is that it’s ok to cancel common factors. In other words, if we know that $tr = ts$ for real numbers $r, s, t$, then as long as $t \neq 0$, we can cancel the $t$’s and conclude that $r = s$. In general, cancellation is not valid in $\mathbb{Z}_n$. For example,

$3 \cdot 10 = 3 \cdot 5 \quad (\mathbb{Z}_{15})$, (8.14)

but cancelling the 3’s leads to the absurd conclusion that 10 equals 5. The fact that multiplicative terms cannot be cancelled is the most significant way in which $\mathbb{Z}_n$ arithmetic differs from ordinary integer arithmetic.

Definition 8.9.3. A number $k$ is cancellable in $\mathbb{Z}_n$ iff

$k \cdot a = k \cdot b$ implies $a = b \quad (\mathbb{Z}_n)$

for all $a, b \in [0..n)$.

If a number is relatively prime to 15, it can be cancelled by multiplying by its inverse. So cancelling works for numbers that have inverses:

Lemma 8.9.4. If $k$ has an inverse in $\mathbb{Z}_n$, then it is cancellable.

But 3 is not relatively prime to 15, and that’s why it is not cancellable. More generally, if $k$ is not relatively prime to $n$, then we can show it isn’t cancellable in $\mathbb{Z}_n$ in the same way we showed that 3 is not cancellable in (8.14). To summarize, we have

Theorem 8.9.5. The following are equivalent for $k \in [0..n)$:

$\gcd(k, n) = 1$;
$k$ has an inverse in $\mathbb{Z}_n$;
$k$ is cancellable in $\mathbb{Z}_n$.
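As an added Python example (not the textbook's code), here is the Pulverizer as an extended Euclidean algorithm, the inverse built from it exactly as in the proof of Lemma 8.9.1, a brute-force test of Definition 8.9.3 that returns the witness pair showing a number is not cancellable, and a check that the three conditions of Theorem 8.9.5 agree for every $k$ in $[0..n)$. Function names are my own.

```python
# Added example, not from the textbook: the Pulverizer (extended Euclid), the
# inverse it yields as in the proof of Lemma 8.9.1, and an exhaustive check of
# Theorem 8.9.5 for a given modulus. Names are my own.
from math import gcd

def pulverizer(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def inverse_mod(k, n):
    """Inverse of k in Z_n, built as in the proof of Lemma 8.9.1: from s*n + t*k = 1
    take rem(t, n). Returns None when gcd(k, n) != 1, since then no inverse exists."""
    g, s, t = pulverizer(n, k)
    if g != 1:
        return None
    return t % n

def noncancellation_witness(k, n):
    """Definition 8.9.3 tested exhaustively: a pair (a, b) with a != b but
    k*a = k*b in Z_n, or None if k is cancellable."""
    for a in range(n):
        for b in range(a + 1, n):
            if (k * a) % n == (k * b) % n:
                return a, b
    return None

def theorem_8_9_5_holds(n):
    """For every k in [0..n): gcd(k, n) = 1, 'k has an inverse' and 'k is cancellable'
    are either all true or all false."""
    for k in range(n):
        coprime = gcd(k, n) == 1
        has_inverse = inverse_mod(k, n) is not None
        cancellable = noncancellation_witness(k, n) is None
        if not (coprime == has_inverse == cancellable):
            return False
    return True
```

inverse_mod(8, 15) returns 2, as in the example above, inverse_mod(3, 15) returns None, and noncancellation_witness(3, 15) returns a pair of distinct numbers that 3 sends to the same product in $\mathbb{Z}_{15}$, the same kind of witness as (8.14). Python 3.8 and later can check the inverse against the built-in pow(k, -1, n).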

8.9.3 Decrypting (Version 2.0)

Multiplicative inverses are the key to decryption in Turing’s code. Specifically, we can recover the original message by multiplying the encoded message by the $\mathbb{Z}_n$-inverse, $j$, of the key:

$j \cdot \hat m = j \cdot (m \cdot k) = m \cdot (k \cdot j) = m \cdot 1 = m \quad (\mathbb{Z}_n)$.

So all we need to decrypt the message is to find an inverse of the secret key $k$, which will be easy using the Pulverizer—providing $k$ has an inverse. But $k$ is positive and less than the modulus $n$, so one simple way to ensure that $k$ is relatively prime to the modulus is to have $n$ be a prime number.


8.9.4 Breaking Turing’s Code (Version 2.0)

The Germans didn’t bother to encrypt their weather reports with the highly-secure Enigma system. After all, so what if the Allies learned that there was rain off the south coast of Iceland? But amazingly, this practice provided the British with a critical edge in the Atlantic naval battle during 1941.

The problem was that some of those weather reports had originally been transmitted using Enigma from U-boats out in the Atlantic. Thus, the British obtained both unencrypted reports and the same reports encrypted with Enigma. By comparing the two, the British were able to determine which key the Germans were using that day and could read all other Enigma-encoded traffic. Today, this would be called a known-plaintext attack.

Let’s see how a known-plaintext attack would work against Turing’s code. Suppose that the Nazis know both the plain text, $m$, and its encrypted form, $\hat m$. Now in Version 2.0,

$\hat m = m \cdot k \quad (\mathbb{Z}_n)$,

and since $m$ is positive and less than the prime $n$, the Nazis can use the Pulverizer to find the $\mathbb{Z}_n$-inverse, $j$, of $m$. Now

$j \cdot \hat m = j \cdot (m \cdot k) = (j \cdot m) \cdot k = 1 \cdot k = k \quad (\mathbb{Z}_n)$.

So by computing $j \cdot \hat m = k \ (\mathbb{Z}_n)$, the Nazis get the secret key and can then decrypt any message! This is a huge vulnerability, so Turing’s hypothetical Version 2.0 code has no practical value. Fortunately, Turing got better at cryptography after devising this code; his subsequent deciphering of Enigma messages surely saved thousands of lives, if not the whole of Britain.
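The Version 2.0 exchange of 8.8, its decryption by the inverse of the key (8.9.3), and the single-pair key recovery just described (8.9.4), as an added Python example that is not the textbook's code. The modulus, key and messages are constructed values; the $\mathbb{Z}_n$-inverse is taken with Python's built-in pow(x, -1, n) (Python 3.8 and later), which returns the same inverse the Pulverizer gives. The design lesson is in the last two functions: one known plaintext/ciphertext pair hands over $k$, after which every other message sent under that key is readable, which is why a multiply-by-key scheme has no practical value.

```python
# Added example, not from the textbook: Turing's code Version 2.0 as given in
# (8.13), decryption by the Z_n-inverse of the key (8.9.3), and the known-plaintext
# recovery of the key (8.9.4). All parameter values are constructed, and the
# Z_n-inverse is taken with Python's built-in pow(x, -1, n) (Python 3.8+), which
# returns the same inverse the Pulverizer gives. Function names are my own.

def is_prime(x):
    """Trial division; enough for the small constructed moduli used here."""
    if x < 2:
        return False
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return True

N = 104729   # public prime modulus n (constructed value)
K = 7919     # secret prime key k, with 0 < k < n (constructed value)
M = 3571     # a prime message m in [0..n) (constructed value)

def check_parameters(n, k, m):
    """The 'Beforehand' and 'Encryption' conditions: n prime, k and m primes below n."""
    if not is_prime(n):
        raise ValueError("modulus must be prime so every nonzero element has an inverse")
    if not (is_prime(k) and 0 < k < n and is_prime(m) and 0 < m < n):
        raise ValueError("key and message must be primes in (0..n)")
    return True

def encrypt(m, k, n):
    """Equation (8.13): m_hat ::= m * k (Z_n)."""
    return (m * k) % n

def decrypt(m_hat, k, n):
    """Section 8.9.3: j * m_hat = j * (m * k) = m * (k * j) = m (Z_n), with j the inverse of k."""
    j = pow(k, -1, n)
    return (j * m_hat) % n

def recover_key(m, m_hat, n):
    """Section 8.9.4: with one plaintext/ciphertext pair, j = inverse of m gives
    j * m_hat = (j * m) * k = k (Z_n). The key is exposed."""
    j = pow(m, -1, n)
    return (j * m_hat) % n

def known_plaintext_demo(n=N, k=K, m=M, other_message=101):
    """One known pair recovers k, which then decrypts every other message sent under it."""
    check_parameters(n, k, m)
    m_hat = encrypt(m, k, n)
    k_found = recover_key(m, m_hat, n)
    leaked = decrypt(encrypt(other_message, k, n), k_found, n)
    return {"ciphertext": m_hat, "recovered_key": k_found, "other_message_read": leaked}
```

With the constructed values, encrypt(M, K, N) is 1919, decrypt(1919, K, N) returns the message 3571, and recover_key(3571, 1919, N) returns 7919, the key, from that one pair alone; known_plaintext_demo() then reads a second message with the recovered key.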

8.9.5 Turing Postscript

A few years after the war, Turing’s home was robbed. Detectives soon determined that a former homosexual lover of Turing’s had conspired in the robbery. So they arrested him—that is, they arrested Alan Turing—because at that time in Britain, homosexuality was a crime punishable by up to two years in prison. Turing was sentenced to a hormonal “treatment” for his homosexuality: he was given estrogen injections. He began to develop breasts.

Three years later, Alan Turing, the founder of computer science, was dead. His mother explained what happened in a biography of her own son. Despite her repeated warnings, Turing carried out chemistry experiments in his own home. Apparently, her worst fear was realized: by working with potassium cyanide while eating an apple, he poisoned himself.


However, Turing remained a puzzle to the very end. His mother was a devout woman who considered suicide a sin. And, other biographers have pointed out, Turing had previously discussed committing suicide by eating a poisoned apple. Evidently, Alan Turing, who founded computer science and saved his country, took his own life in the end, and in just such a way that his mother could believe it was an accident.

Turing’s last project before he disappeared from public view in 1939 involved the construction of an elaborate mechanical device to test a mathematical conjecture called the Riemann Hypothesis. This conjecture first appeared in a sketchy paper by Bernhard Riemann in 1859 and is now one of the most famous unsolved problems in mathematics.

MIT OpenCourseWare
https://ocw.mit.edu

6.042J / 18.062J Mathematics for Computer Science Spring 2015

For information about citing these materials or our Terms of Use, visit: https://ocw.mit.edu/terms.